Re: Removing ALL_ views from users

Just so I understand you correctly, you took a list of each of the ALL_
views, and revoked each of them from PUBLIC? Any database problems
afterward? Which database version?

Thanks,
Dennis

On Tue, Mar 31, 2009 at 11:10 AM, <Mayen.Shah_at_lazard.com> wrote:

> I had a similar request from auditors. I lost half the battle. Instead of
> dropping ALL_ views, I revoked PUBLIC privilege to satisfy auditors. When
> developers complained, I asked them to get approval from auditors...never
> heard back.
>
> Thanks
> Mayen
>
> "Dennis Williams" <oracledba.williams_at_gmail.com>
> Sent by: oracle-l-bounce_at_freelists.org
> Mar 31 2009 12:03 PM
> Please respond to oracledba.williams_at_gmail.com
> To: "Andrew Kerber" <andrew.kerber_at_gmail.com>
> cc: "oracle-l_at_freelists.org" <oracle-l_at_freelists.org>
> Subject: Re: Removing ALL_ views from users
>
> Thanks Andrew,
>
> That was pretty much my first response. Unfortunately this has gone further
> than that. What I'm asking is:
>
> Has anyone removed access to any of the ALL_ views?
>
> I'm guessing that since the views are PUBLIC, that would need to be revoked
> first.
>
> Thanks,
> Dennis
>
> On Mon, Mar 30, 2009 at 9:40 AM, Andrew Kerber <andrew.kerber_at_gmail.com> wrote:
>
>> You are talking to an ignorant auditor who thinks the all views show
>> everything in the database. If he seriously thinks that knowing other
>> usernames is a security risk, go ahead and revoke that one, then explain to
>> him that the all* views actually just show objects that each user has access
>> to, not everything in the database. I ran into this before, and the problem
>> was the guy was trained in accounting, not Oracle.
>>
>> On Mon, Mar 30, 2009 at 9:32 AM, Dennis Williams <oracledba.williams_at_gmail.com> wrote:
>>
>>> List,
>>>
>>> Some security auditors are stating that the ALL_ views are a security risk
>>> and are recommending that I revoke them. In particular, they are pointing to
>>> ALL_USERS as offering a hacker useful information. My guess is that the ALL_
>>> views are granted to PUBLIC. Has anyone had this requirement? Has anyone
>>> successfully revoked this access?
>>>
>>> Dennis
>>
>> --
>> Andrew W. Kerber
>>
>> 'If at first you don't succeed, don't take up skydiving.'
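
An inventory for the change discussed in this thread, as an added example that is not part of any poster's message: it lists the ALL_ views on which PUBLIC holds a privilege, generates (without executing) the REVOKE statements together with the GRANT statements that would restore them, and lists non-SYS objects that reference an ALL_ view. It assumes a session that can read DBA_TAB_PRIVS and DBA_DEPENDENCIES.

```sql
-- Added example (not from the thread). Run as a user who can query the
-- DBA_ dictionary views. Nothing here changes any privilege.

-- 1. ALL_ views owned by SYS on which PUBLIC currently holds a privilege.
SELECT table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee    = 'PUBLIC'
AND    owner      = 'SYS'
AND    table_name LIKE 'ALL\_%' ESCAPE '\'
ORDER  BY table_name, privilege;

-- 2. For each grant found above, print the REVOKE statement and the GRANT
--    statement that puts it back, so both scripts can be reviewed and saved
--    before anything is executed.
SELECT 'REVOKE ' || privilege || ' ON SYS."' || table_name || '" FROM PUBLIC;'
         AS revoke_stmt,
       'GRANT '  || privilege || ' ON SYS."' || table_name || '" TO PUBLIC'
         || CASE grantable WHEN 'YES' THEN ' WITH GRANT OPTION' END || ';'
         AS restore_stmt
FROM   dba_tab_privs
WHERE  grantee    = 'PUBLIC'
AND    owner      = 'SYS'
AND    table_name LIKE 'ALL\_%' ESCAPE '\'
ORDER  BY table_name, privilege;

-- 3. Stored objects outside SYS that reference an ALL_ view, either directly
--    (SYS.ALL_x) or through its public synonym. These are the objects to
--    check for invalidation once the PUBLIC grant is gone.
SELECT d.owner, d.name, d.type,
       d.referenced_owner, d.referenced_name, o.status
FROM   dba_dependencies d
JOIN   dba_objects o
       ON  o.owner       = d.owner
       AND o.object_name = d.name
       AND o.object_type = d.type
WHERE  d.referenced_name  LIKE 'ALL\_%' ESCAPE '\'
AND    d.referenced_owner IN ('SYS', 'PUBLIC')
AND    d.owner            <> 'SYS'
ORDER  BY d.owner, d.name, d.referenced_name;
```

Query 3 covers only stored objects recorded in the dictionary; ad hoc SQL issued by client tools against the ALL_ views does not appear there.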